The US Cyber Policy Reboot

By Jason Healey

Jason Healey, director of the Atlantic Council's Cyber Statecraft Initiative, argues that 2011 has seen the most vigorous effort on the part of the United States government to establish a coordinated set of cyber policies in nearly a decade: “We have been wandering in a policy desert for years and while we may not have reached an oasis, we have found a glass with some water in it.”

First, the issue brief starts with a description of the ‘policy desert:’ There have been six “wake up calls” that generated energetic, short-term action: the Morris Worm and Cuckoo’s Egg intrusion of the late 1980s, the SOLAR SUNRISE intrusion and exercise ELIGIBLE RECEIVER in the late 1990s, the MOONLIGHT MAZE intrusions circa 2000, Chinese espionage dating from the early 2000s and continuing to the present day, the attacks against Estonia and Georgia in 2007and 2008, and finally the BUCKSHOT YANKEE intrusions of 2008. These have been met with ineffective government responses: the 2003 Strategy to Secure Cyberspace was largely ignored; the 2008 Comprehensive National Cybersecurity Initiative was not comprehensive as it focused solely on governmental networks, and the 2009 Cyberspace Policy Review listed short-term actions, and was not a strategic document.

Next, a description of the ‘glass of water’ that shows US efforts moving in the right direction. White House leadership is stronger on cyber issues than it has been in the past, and 2011 saw new cyber strategies released by multiple agencies. The Department of Defense Strategy for Operating in Cyberspace attempts to de-militarize cyberspace, while stating how it will normalize cyberspace operations; US Cyber Command continued its maturation as well. The Department of Commerce released a strategy, and the Securities and Exchange Commission issued guidelines for publicly-traded companies to disclose information to investors if subjected to a significant cyber intrusion. The Department of Homeland Security released its Blueprint for a Secure Cyber Future, which outlines protecting critical infrastructure and strengthening general cybersecurity. To tie these together, the White House released its International Strategy for Cyberspace, which also called for new norms and practices in cyberspace and emphasizing traditional American values of free trade and innovation within an Internet context. Lastly, 2011 ended with some in Congress expecting significant, comprehensive cybersecurity legislation to be passed in 2012: two major Senate bills currently exist, and the House has two major legislative proposals in the works as well.

These cyber policies all have roughly the same shape and contours, such as basic government continuity in its approach but the incorporation of new thinking, and a light, yet expanding, government touch. However, these collectively represent a ‘glass of water’ and not an ‘oasis’. The release of cybersecurity policies, while a good first step, does not automatically equate to action. Risk-averse election-year legislators may lead to these complex issues being simplified and weak legislation being passed, papering over the cracks. Too few leaders have a deep understanding of both cyber issues and the national security interagency process that must be overcome to enact needed policies. The federal government has a difficult time measuring security (via FISMA) when compared to industry leaders. Finally, technology will continue to advance—mobile and cloud technologies are upon us—and will always outpace the bureaucratic and legislative process, exposing government to disruptions.